Bug 266865

Summary: net/routinator: Update to 0.11.3
Product: Ports & Packages
Reporter: Jaap Akkerhuis <jaap>
Component: Individual Port(s)
Assignee: Fernando Apesteguía <fernape>
Status: Closed FIXED
Severity: Affects Many People
CC: eduardo, fernape, ports-secteam
Priority: ---
Keywords: security
Version: Latest
Flags: fernape: merge-quarterly+
Hardware: Any   
OS: Any   
URL: https://github.com/NLnetLabs/routinator/releases
Attachments (description, flags):
patch to update (flags: jaap: maintainer-approval+)
vuxml entry" CVE-2022-3029 -- potential DOS attack (flags: none)

Description Jaap Akkerhuis 2022-10-06 12:30:25 UTC
Created attachment 237120
patch to update

This is an important security release. All users of Routinator 0.9.0 up to 0.11.2 are encouraged to upgrade at their earliest convenience.

Bug Fixes

Fixes an issue in error handling in the RRDP collector that causes
Routinator to exit if it encountered malformed base64 in RRDP snapshot
and delta files. (Found by Donika Mirdita and Haya Shulman. Assigned
CVE-2022-3029.) (#781)

(See https://nlnetlabs.nl/downloads/routinator/CVE-2022-3029.txt for details)
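
The failure mode named in the release note, sketched as an added Rust example (not Routinator's code and not part of the original report): malformed base64 from one repository becomes a recoverable error for that repository instead of ending the process. The decoder, `RrdpError`, `collect_snapshot`, `update_all` and the sample data are all hypothetical.

```rust
// Added illustration, not Routinator's code; every name here is hypothetical.
#[derive(Debug, PartialEq)]
enum RrdpError { BadBase64 { uri: String } }

const B64: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/// Standard-alphabet base64; None on a bad character, length or padding.
fn b64_decode(input: &str) -> Option<Vec<u8>> {
    let s: Vec<u8> = input.bytes().filter(|b| !b.is_ascii_whitespace()).collect();
    if s.len() % 4 != 0 { return None; }
    let mut out = Vec::new();
    for (i, chunk) in s.chunks(4).enumerate() {
        let pad = chunk.iter().rev().take_while(|&&b| b == b'=').count();
        if pad > 2 || (pad > 0 && i + 1 != s.len() / 4) { return None; }
        let mut n: u32 = 0;
        for &b in &chunk[..4 - pad] {
            // '=' or any other byte outside the alphabet ends decoding with None.
            n = (n << 6) | B64.iter().position(|&c| c == b)? as u32;
        }
        n <<= 6 * pad as u32;
        out.extend_from_slice(&n.to_be_bytes()[1..4 - pad]);
    }
    Some(out)
}

/// Decode one repository's (uri, base64) publish elements; bad data is an Err.
fn collect_snapshot(publishes: &[(&str, &str)]) -> Result<Vec<Vec<u8>>, RrdpError> {
    publishes.iter().map(|(uri, data)| {
        b64_decode(data).ok_or_else(|| RrdpError::BadBase64 { uri: uri.to_string() })
    }).collect()
}

/// A repository serving malformed data is skipped; the others still update.
fn update_all(repos: &[(&str, Vec<(&str, &str)>)]) -> (usize, Vec<String>) {
    let (mut ok, mut failed) = (0, Vec::new());
    for (name, publishes) in repos {
        match collect_snapshot(publishes) {
            Ok(_) => ok += 1,
            Err(RrdpError::BadBase64 { uri }) => failed.push(format!("{}: {}", name, uri)),
        }
    }
    (ok, failed)
}

fn main() {
    // Constructed sample: the second repository serves corrupt base64.
    let repos = vec![("good.example", vec![("rsync://good.example/a.roa", "aGVsbG8=")]),
                     ("bad.example", vec![("rsync://bad.example/b.roa", "aGVs*G8=")])];
    println!("{:?}", update_all(&repos));
}
```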
Comment 1 Nuno Teixeira freebsd_committer freebsd_triage 2022-10-06 17:24:45 UTC
Hi,

Could you provide a vuxml entry?

Thanks
Comment 2 Jaap Akkerhuis 2022-10-07 13:06:48 UTC
(In reply to Nuno Teixeira from comment #1)
I can (and did) using security/vuxml but where do I send it to? I never have figured out how to do that.
Comment 4 Jaap Akkerhuis 2022-10-07 13:50:48 UTC
Created attachment 237141
vuxml entry" CVE-2022-3029 -- potential DOS attack

vuxml: CVE-2022-3029 -- potential DOS attack
Comment 5 Fernando Apesteguía freebsd_committer freebsd_triage 2022-10-07 15:36:33 UTC
(In reply to Jaap Akkerhuis from comment #4)
Thanks for the vuxml entry.

The port is queued for build testing.

Thanks!
Comment 6 commit-hook freebsd_committer freebsd_triage 2022-10-07 15:51:19 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=1db6001e2a6f0733cea74b757c2a186b3fddae0a

commit 1db6001e2a6f0733cea74b757c2a186b3fddae0a
Author:     Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2022-10-07 15:45:00 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2022-10-07 15:45:00 +0000

    net/routinator: Add net/routinator CVE

    Recent versions of Routinator contain a problem that causes Routinator to
    exit if it encounters invalid data in RRDP snapshot or delta files.

    Details: https://nlnetlabs.nl/downloads/routinator/CVE-2022-3029.txt

    PR:             266865
    Reported by:    jaap@NLnetLabs.nl

 security/vuxml/vuln-2022.xml | 42 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
Comment 7 commit-hook freebsd_committer freebsd_triage 2022-10-09 11:53:56 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3488bf3779725a73032aeff271926dee14e10e70

commit 3488bf3779725a73032aeff271926dee14e10e70
Author:     Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2022-10-07 06:07:35 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2022-10-09 11:49:22 +0000

    net/routinator: Update to 0.11.3

    ChangeLog: https://github.com/NLnetLabs/routinator/releases

    Fixes an issue in error handling in the RRDP collector that causes
    Routinator to exit if it encountered malformed base64 in RRDP snapshot
    and delta files. (Found by Donika Mirdita and Haya Shulman. Assigned
    CVE-2022-3029.)

    PR:             266865
    Reported by:    jaap@NLnetLabs.nl (maintainer)
    MFH:            2022Q4  (security fix release)
    Security:       CVE-2022-302

 net/routinator/Makefile            | 3 +--
 net/routinator/distinfo            | 6 +++---
 net/routinator/files/routinator.in | 2 +-
 3 files changed, 5 insertions(+), 6 deletions(-)
Comment 8 commit-hook freebsd_committer freebsd_triage 2022-10-09 11:55:58 UTC
A commit in branch 2022Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=f0faa07fdb18701f682e0ea36f0b0ea3c1060055

commit f0faa07fdb18701f682e0ea36f0b0ea3c1060055
Author:     Jaap Akkerhuis <jaap@NLnetLabs.nl>
AuthorDate: 2022-10-07 06:07:35 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2022-10-09 11:51:21 +0000

    net/routinator: Update to 0.11.3

    ChangeLog: https://github.com/NLnetLabs/routinator/releases

    Fixes an issue in error handling in the RRDP collector that causes
    Routinator to exit if it encountered malformed base64 in RRDP snapshot
    and delta files. (Found by Donika Mirdita and Haya Shulman. Assigned
    CVE-2022-3029.)

    PR:             266865
    Reported by:    jaap@NLnetLabs.nl (maintainer)
    MFH:            2022Q4  (security fix release)
    Security:       CVE-2022-302

    (cherry picked from commit 3488bf3779725a73032aeff271926dee14e10e70)

 net/routinator/Makefile            | 3 +--
 net/routinator/distinfo            | 6 +++---
 net/routinator/files/routinator.in | 2 +-
 3 files changed, 5 insertions(+), 6 deletions(-)
Comment 9 Fernando Apesteguía freebsd_committer freebsd_triage 2022-10-09 11:56:14 UTC
Committed and merged to 2022Q4.

Thanks!